Specification 

GROUP SIGNATURE GENERATION SYSTEM USING MULTIPLE PRIMES 
BACKGROUND OF THE INVENTION 

Field of the Invention: 

5 The present invention relates generally to cryptographic systems, and more particularly to 

a system and method for generating an authentic cryptographic group signature. 

Description of the Prior Art: 

The application of a signature to a document may serve to indicate that the document 
originates from the signer, or to show that the signer somehow endorses the information 
Hi communicated by the document. In the context of business, signatures are customarily applied 
O to documents for the purpose of forming contracts and executing financial transactions. In 
SJ government, a properly signed document may serve to ratify a law or a government action. 
; 1 With the advent of computer networking, electronic documents have been gradually 

55 replacing paper documents. Validating the authenticity of electronic documents is a problem that 
i-S has been addressed by digital signatures A digital signature of a message is a number which is 
^1 the result of a calculation dependent on some secret known only to the signer, and also on the 
O content of the message being signed. A signature must be verifiable. If a dispute arises as to 
tl whether a party signed a message, an unbiased third party should be able to resolve the matter 

without requiring access to the signer's secret information. 
20 Digital signatures may be created and verified by cryptography. Digital signatures 

commonly use public key cryptography, which employs an algorithm using two different but 
mathematically related keys; one for creating a digital signature or encoding data, and another 
key for verifying a digital signature or decoding the message. Computer equipment and 
software utilizing this method are commonly known as asymmetric cryptosystems. 
25 The keys of an asymmetric cryptosystem are commonly referred to as the private key, 

known only to the signer and used to create the digital signature, and the public key which is 
used to verify the digital signature. If many people need to verify a signer's digital signature, the 
associated public key must be available. A public key may be published or held in an on-line 
repository or directory where it is easily accessible. Although the public and private keys are 
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mathematically related, it is extraordinarily difficult to derive the private key from knowledge of 
the public key. Thus, although people may know the public key of a given entity and use it to 
verify that entity's signatures, they cannot discover the private key and use it to forge digital 
signatures. This is sometimes referred to as the principle of irreversibility. 
5 Hash functions are commonly used in software for creating and verifying digital 

signatures. A hash function is an algorithm used to create a digital representation in the form of 
a hash value or hash result of a standard length which is usually much smaller than the message. 
Any change to the message produces a different hash result when the same hash function is used. 
In the case of a secure hash function, sometimes termed a one-way hash function, it is 
1 0 computationally infeasible to derive the original message from knowledge of its hash value. 

Use of a digital signature usually involves two processes, one performed by the signer 
and the other by the receiver of the digital signature. Creation of a digital signature usually 
O includes deriving a hash value of the message to be signed and then performing a mathematical 
ij operation on that value using the private key. Typically, the digital signature is attached to the 
f*f corresponding message and transmitted to a second party. Verification of the digital signature is 

'•srsi 

CO accomplished by computing a new hash result of the original message using the same hash 
y, function that was used to create the digital signature. Using the public key to invert the received 
j*f signature, and then comparing that with the new hash result, a verifier may check: whether the 
O digital signature was created using the corresponding private key; and whether the newly 
£0 computed hash result matches the original hash result which was transformed into the digital 
signature during the signing process. Verification software typically confirms the digital 
signature as verified if: the signer's private key was used to digitally sign the message, which is 
determined to be the case if the signer's public key is used to verify because the signer's public 
key will only verify a digital signature created with the signer's private key; and the message was 
25 unaltered, which is found to be the case if the hash result computed by the verifier is identical to 
the hash result extracted from the digital signature during the verification process. 

The use of digital signatures has already proven to be a reliable and secure means of 
authenticating digital messages. However, the applicants of the present patent application have 
observed that conventional asymmetric cryptosystems do not provide a means for generating 
30 group digital signatures where a document must be signed by more than one person. 
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Corporations, government bodies, and other organizations often institute policies that 
require more than one authorized individual to endorse a certain type of decision before the 
organization may act as a whole. To approve a decision made on behalf of an organization, it is 
a necessary and common practice to prepare a document that must be signed by more than one 
5 individual. For example, a corporation may require that a purchase order for goods or services 
exceeding a certain amount must be signed by a requesting employee, a manager, and finally a 
vice president. This purchase order would bear the name of the corporation, and would explain 
that the purchase order is only valid if it bears all of the required signatures. 

What is needed is a secure system and method for generating a group digital signature 
10 wherein each of a group of individuals may sign a message M to create a group digital signature. 

Summary of the Invention: 

O It is an object of the present invention to provide a system and method for generating a 

hj group digital signature wherein each member of a group of authonzed individuals must sign a 

message M to create a group digital signature S. 
V§ It is another object of the present invention to provide a system and method for 

3 generating a group digital signature wherein each of the group of individuals sign the message M 
JTJ using a unique individual private key that is not known or accessible to other members of the 

O It is a further object of the present invention to provide a system and method for 

fO generating a group digital signature wherein more than one such group of individuals may be 

authorized to sign a message M to create the same group signature which is the signature of the 

entity that includes all of the groups. 

It is yet another object of the present invention to provide a method for creating and 

distributing individual private keys to individuals within different groups, wherein each group is 
25 capable of generating a group signature for a common entity that includes all of the groups, and 

wherein each private key may be used to generate a partial digital signature. 

Briefly, a presently preferred embodiment of the present invention includes a method for 

generating a group digital signature wherein each of a group of individuals may sign a message 

M to create a group digital signature S, wherein M corresponds to a number representative of a 
30 message, 0 < M < n-1, n is a composite number formed from the product of a number k of 
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distinct random prime factors pi»p2*. . ••Vk, k is an integer greater than 2, and S = M d (mod n). In 
accordance with one embodiment, the method includes the steps of: a first individual in a group 
performing a first partial digital signature subtask on a message M using a first individual private 
key to produce a first partial digital signature Si; at least a second individual in the group 
5 performing a second partial digital signature subtask on the message M using a second individual 
private key to produce a second partial digital signature S 2 ; and combining the partial digital 
signature results including the results Si and S 2 to produce the group digital signature S 
corresponding to the message M. 

In accordance with one aspect of the present invention, the of the individual private keys 
10 includes: an associated individual modulus n\ that is a number formed as a product of one or 

more of the k prime factors of the group modulus n; and an associated individual private 
^ exponent di that is determined based on a selected public group exponent e, and also based on the 
O prime factors of the associated individual modulus ni. Each of the individual private exponents di 
sj may be determined as a number congruent to the inverse of the public group exponent e, modulo 
|5 the Euler Totient function of the associated individual modulus n*. 

CO In one embodiment, the first individual is assigned a first number mi of the k prime 

L factors of the group modulus n and the second individual is assigned a second number m 2 of the 

k prime factors of the group modulus n. In this embodiment, the first individual private key 
CI includes: an associated individual modulus ni that is determined as the product of a number mi 
|Q of distinct prime factors of the group modulus n; and an associated individual private exponent 

di that is determined based on a selected public key exponent e and based on the mi prime 

factors of the associated individual modulus in accordance with 

d x = e x mod (Y[( Pj 1 ), 

wherein pj ... p mJ represent the first number mi of the distinct prime factors. 
25 The first partial digital signature Si may be generated based on the relationship 

Si-M" 1 (modni). 

In accordance with one aspect of the present invention, the step of combining the results 
associated with the first and second partial digital signatures includes combining the results in 
accordance with a Chinese Remainder Algorithm. In one embodiment, the step of combining 
30 results of the sub-tasks is performed in accordance with the relations 
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Yj = Yj.i + ((Si -Yj.i) (Wi _1 mod nO mod n*) • Wj mod n, 
wherein 2 < i < z, and 

S=Y k , Yi=S h and w^f]*; 

In another embodiment, the step of combining results of the sub-tasks is performed in 
accordance with the relations 

z 

S ^^^.(w. -1 modn i )w i modw, 

i=l 

wherein 

The foregoing and other objects, features, and advantages of the present invention will be 
apparent from the following detailed description of the preferred embodiment which makes 
reference to the several figures of the drawing. 

In The Drawing: 

FIG. 1 is a block diagram generally illustrating a computer system network that may be 
used in accordance with the present invention for generating a group digital signature based on a 
plurality of partial digital signatures; 

FIG. 2 is a block diagram generally illustrating one embodiment of an individual system 
that may be used in the network of FIG. 1 to create one of a plurality of partial digital signatures 
that may be combined to form a group digital signature in accordance with the present invention; 

FIG. 3 is a table diagram illustrating one example of the creation and symmetric 
distribution of individual private keys to members of a number G of different groups, each group 
having Z individual members, wherein the members of each group may act collectively to 
execute the same group digital signature, and wherein each individual private key is created 
based on an associated individual modulus n gjZ formed from a unique combination of M primes 
selected from a total number of primes K; 

FIG. 4 is a table diagram illustrating a plurality of individual partial digital signatures 
each being associated with one of the individuals in one of the groups illustrated in FIG. 3, 
wherein each group may execute the group digital signature only upon execution of each of the 
partial digital signatures by each member of the group; 
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FIG. 5 is a table diagram illustrating an example of an asymmetric distribution of a 
plurality of individual private keys to members of a plurality of different groups, wherein at least 
one individual in at least one of the groups is assigned a modulus formed from a different 
number of primes as compared with the number of primes forming the moduli assigned to other 
5 members of the same group; 

FIG. 6 is a table diagram illustrating an example of an asymmetric distribution of a 
plurality of individual private keys to members of a plurality of different groups organized to 
operate in a hierarchical manner, wherein at least one high level shared member must ratify the 
execution of a group digital signature by at least one of the different groups; and 
10 FIG. 7 is a generalized flow diagram illustrating a process of generating a group digital 

signature in accordance with one embodiment of the present invention. 

Detailed Description of the Preferred Embodiments: 

Z j Often in a corporate environment, there are certain business decisions that may only be 

! *fi approved by a group of specified individuals of the corporation, that is wherein no single 
IS individual can approve the decision alone. As an example, a corporate structure may require that 
y £ certain financial decisions which bind the corporation may only be made on behalf of the 
Ljj corporation by a specified group of financial officers who may act only upon ratification of a 
C3 decision by all of the officers. The corporate structure and protocol may also dictate that the 
2 outside world need not know exactly which individuals of the corporation are approving 
20 decisions. The present invention provides a method and apparatus of generating a group digital 
signature that satisfies each of the aforesaid requirements. 

A business entity (e.g., a corporation), or other organization, may include a number of 
different groups (e.g., different divisions of a corporation, or different committees of an 
organization) each including a plurality of individuals (e.g., designated officers of a corporate 
25 divisions). The entity may desire to have a single digital signature that may be generated by 
each of the different groups of individuals. The system and method of the present invention 
provides for creating and distributing individual private keys to a plurality of authorized 
individuals each of whom may then sign a message using his or her associated individual private 
key to create an associated partial digital signature. The partial digital signatures are then 
30 combined mathematically to create a group digital signature. In accordance with one 

embodiment of the present invention, none of the individuals in the group holds more than one of 
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the private keys, and therefore, each of the individual members of a group must sign the message 
to create the group digital signature. 

A business entity, or other organization, may also wish to empower different groups of 
individuals within the entity to act on behalf of the entity. However, the entity may desire to 
5 have a single public key that may that may be used to verify group signatures generated by any 
of the different groups of individuals. For example, a corporation may include a number of 
different divisions each having a plurality of individuals (e.g., designated officers of the 
divisions) authorized to make decisions on behalf of that division only as a group. If the 
corporation desires to have only one corporate public key, then the authorized individuals within 
10 each of the different divisions must be able to generate the corporate signature. Where an entity 
, wishes to empower different groups of individuals to act on behalf of the entity, the system and 
O method of the present invention provides for creating and distributing individual private keys to 
yj the individuals within the different groups in accordance with a scheme wherein each group is 
P l capable of generating a valid signature for the entity. However, any outside party receiving a 
If signed message from the entity would not be able to distinguish which group generated the 
a signature. 

JIT FIG. 1 shows a block diagram generally illustrating a network system at 10 that may be 

ft! used to facilitate the method of the present invention for generating a group digital signature, 
p The system 10 includes a local corporate network system 12 communicatively coupled with a 
16 third party computer system 14 via a network 1 6 such as an IP network (e.g., the Internet). The 
corporate network system 12 includes a plurality of individual systems 16 each being 
communicatively coupled with the third party computer system 14 via a local area network 
(LAN) 18 that is connected to the network 16. 

The system 12 also includes a key generation and issuance unit 19 for generating and 
25 issuing private keys to be used by individual members of one or more groups for generating 
digital signatures in accordance with the present invention. In accordance with the present 
invention, private keys generated by the unit 19 must be issued to individuals via a secure 
channel. In one embodiment, private keys generated by the unit 19 are issued to individuals via 
secure channels implemented over the network 18. In another embodiment, the key generation 
30 and issuance unit 19 may be a smart card key loading facility that issues private keys to 

individuals by insertion of a smart card into the unit. As explained below, the smart card and the 
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issuance facility may be implemented in accordance with any commercially available smart card 
technology. In one embodiment of the present invention, the key generation and issuance unit 
19 also pre-computes parameters for use in combining the partial digital signatures in to a group 
digital signature. As further explained below, the group digital signature parameters may include 
weighting factors used for combining the partial digital signatures in accordance with a Chinese 
Remainder Algorithm. 

The system 12 further includes a gateway system 20 including a secure combining entity 
for combining the partial digital signatures in to a group digital signature. In addition, this entity 
may perform such functions as receiving and storing partial signatures for a given message until 
a sufficient set is available for combining, receiving and storing different messages until signed, 
and verifying the validity of each group signature produced (using the public key) before issuing 
the signed message to the designated external recipient. In the depicted embodiment of the 
present invention, the secure combining entity receives the group digital signature parameters 
from the key generation and issuance unit 19. In an alternative embodiment of the present 
invention, the key generation and issuance unit 19 and the gateway system 20 may be integrated 
within the same unit. 

FIG. 2 shows a block diagram generally illustrating an embodiment at 50 of one of the 
individual computer systems 14 that may be used in accordance with the present invention. In 
varying embodiments, the system at 50 may be a personal computer, a personal digital assistant 
(PDA), a cellular telephone, or any other electronic means for storing, reading, or generating an 
individual private key value that may be used to create a partial digital signature associated with 
an individual. In the depicted embodiment, the system 50 includes: a processing unit 52 
communicatively coupled with a system bus 54; an input/output unit 56 such as a keyboard pad 
coupled with the processing unit via the system bus; a non- volatile memory unit 58 (e.g., a hard 
disk drive, or an erasable programmable ROM) coupled with the processing unit via the system 
bus; and a network interface 62 providing for communication with remote devices via a network 
(e.g., a local area network (LAN), or an Internet Protocol (IP) network), and also being 
connected to the system bus. 

The non-volatile memory unit 58 provides for storing computer readable instructions 
including instructions for generating an individual partial digital signature using an individual 
private key associated with a unique individual RSA-type system that uses an associated 
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individual modulus consisting of a number of primes controlled by the associated user of the 
individual computer system. The non-volatile memory unit 58 may be used to store an 
individual private key. In another embodiment of the present invention, the individual private 
key may be maintained in a more secure environment in accordance with any of a variety of well 
5 known methods for secure maintenance of a private data. For example, the individual private 
key may be stored on a smart card held by the individual. In this embodiment, the system 50 
may include a smart card reader 63 connected to the system bus for reading the individual private 
key so that it may be used to generate an individual partial digital signature as explained below. 
All that is important is that each private key be stored within a secure boundary, and that each 
1 0 partial signature be computed within a secure boundary so that even the individual does not 

know his own private key or related intermediate results. 
L .. In accordance with one embodiment, the system 50 may optionally include one or 

D more exponentiation units 64 each being operative to perform exponentiation operations, 
y U.S. patent application No. 09/328,726, filed on October 26, 1998, by Collins et aL . 
|| which is incorporated herein by reference, describes a Multi-Prime cryptographic scheme 
W which uses a composite modulus having more than two prime factors. In accordance 
* with the Multi-Prime cryptographic scheme, a public key E (including a composite 
«i number n and a number e) is determined. A plurality of k (wherein k is an integer greater 
[jf than 2) random large, distinct prime numbers, pi, p2, . . .pk are developed and checked to 

29 ensure that each of (pi-1) , (p2-l)> . . and (pk-1) is relatively prime to the number e. 

r " Preferably, the prime numbers pi, p 2 , . . .pk are of an equal length L in bits. Then, the 
composite modulus n is defined in accordance with relationship (1) below, 

n = pi -p 2 - ... -pk (1) 
As further explained below, the composite number n provides a modulus for encrypting 
25 and decrypting, and the prime numbers (or "primes") pi, p2, . . .pk are referred to as factors of the 
modulus n. The primes pi, p 2> . . .pk must satisfy three general criteria in order to be used in a 
Multi-Prime cryptographic system. The primes pi, p 2 , . . .pk must satisfy the criteria of being 
distinct, random, and suitable for use in the Multi-Prime cryptographic system. 

In order to be distinct, the primes pi - pi, P2 ? . . -Pk must satisfy the constraint (2), below. 

30 Pi*Pjfori*j (2) 
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In order to be considered random, each of the primes must be produced with equal 
likelihood and uniformly across the allowed range of values, and they must be statistically 
independent, that is the prime numbers must satisfy the constraint (3), below: 

P (Pj = Pb|Pi = Pa) = P(Pj = Pb) (3) 
wherein P(pj = p B ) is the probability that pj takes the value p B and P(pj = p B |pi = Pa) is the 
probability that pj takes the value p B knowing that pi has the value p A . 

In order to be suitable for use in the Multi-Prime cryptographic system, the primes pi = 
Pb p2, . • .pk must satisfy the constraints (4a) and (4b), below. 

2 L ~ l < pi -p 2 - ... -Pk < 2 L y (4a), and 

e does not have any common divisors with pi-1 (4b) 

Stated alternatively, constraint (4b) requires that each prime pi must satisfy the 
relationship; GCD(e, pi - 1) =1. This constraint requires that the public exponent e and (pi -1) be 
relatively prime. If e and (pi-1) have a common divisor greater than 1, then pi must be rejected 
as a suitable key prime. 

It is also noted here that there is an alternative statement of this constraint on the primes 
which may be considered for use in an RSA type cryptographic system. This constraint is 
reflected in the linear congruency of relationship (5), below. 

e • d = 1 mod (|)(n) (5) 

where <|)(n) is Euler's totient function. Here, d is the private key exponent and is the 
multiplicative inverse of e mod §(n) where e is the public key exponent. The Totient function 
may be expressed in accordance with relationship (6), below. 

Kn) = (pi-l)*(p 2 -l)...*(p k -l) (6) 

where n = pi -p2- ... -pk. 

The linear congruency of relationship (5), above has a unique solution d if and only if 
GCD(e, <|)(n)) =1. That is, e must be relatively prime to <|>(n). This means that e must not have 
common divisors with (pi-1) or (p2-l) ... or (prl). 

A private key D = (n, d), including the modulus n and private key exponent d, is 
established in accordance with relationship (7), below 

d ^ e 1 mod ((pi-1) (p2-l) . . . (p k -l)) (7) 
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In accordance with the digital signature application of the multi-prime cryptographic 
scheme, the signing of a message M begins with computation of the hash value h(M) of the 
message M using any one of several well known hash functions. For simplicity, the hash value 
of a message M is represented hereinafter simply as "M". The hash of the message M is then 
encoded to a signature S by an encoding process using the private key D in possession of the 
sender. In this application, the digital signature process of the multi-prime scheme is performed 
in accordance with relationship (8), below. 

S^M d (modn), (8) 

wherein 

0<M<n-l, 

A verification process of the Multi-Prime signature scheme provides for converting the 
signature S to a candidate hash h(M)' using the public exponent e as a verification exponent in 
accordance with relationship (9) below. 

h(M)' ssS e (modn), (9) 

A party wishing to verify the signed message M would of course need to know the public 
key including modulus n and the public exponent e in order to compute h(M)\ After computing 
h(M)\ if it is determined that h(M) = h(M)', the signature would be verified as originating from 
the entity associated with the public exponent e and the modulus n. 

The multi-prime cryptographic group signature process for a group of z members 
includes a first step of defining a plurality of z sub-tasks in accordance with relationships (10) 
below. 

51 s Af* 1 (modni), 

5 2 = M/ 2 (mod n 2 ), 

S z =M/ 2 (modn z ) 3 
wherein 

Mi s M (mod ni), 
M 2 = M (mod n 2 ), 

M z = M (mod n z ), 

di s d (mod <J)(ni)), 
d 2 = d (mod <|>(n 2 )), 
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d z s d (mod (|)(n z )), and 

(|)(n) represents Euler' s Totient Function. (10) 
The above recited sub-tasks are then solved to determine results Si, S2, ... S z which are 
subsequently combined in accordance with a combining process to produce the signature S. The 
Chinese Remainder Theorem provides a mathematical proof which proves the existence of a 
unique solution to the sub-tasks described in accordance with the congraency relationships (10) 
above. 

U.S. patent application No. 09/328,726 teaches the use of either a recursive combining 
process or a summation process for combining the results Si, S2, ... S z to produce the signature S. 
The recursive combining process may be performed in accordance with relationship (11), below. 

Yi s Yj_i + ((Si -Yj_i) (wf 1 mod nO mod nO • wj mod n, (1 1) 

wherein 2 < i < z, and 

S=Y k , Yi=Si,and w^fj^. 

The summation combining process may be performed in accordance with relationship 
(12), below. 

z 

S s J] S i (w. -1 mod n i )w i mod n, (12) 
wherein 

In the described embodiment of the present invention, the CRT combining parameters Wj, 
also called weights, constitute the group digital signature parameters pre-computed by the key 
generation and issuance unit 19 (FIG. 1). The CRT parameters Wi are precomputed by the key 
generation and issuance unit, and securely passed to the secure combining entity of the gateway 
system 20 (FIG. 1) for use in combining partial digital signatures into a group digital signature. 

A public key may be associated with any type of entity including an individual, a group 
of individuals, an office, a corporate entity, or a particular department of a corporation. The 
present invention provides a novel system and method enabling a group of individual signatories 
to digitally sign a message that may be validated using a group public key pair E = (e, n) wherein 
e provides a group public key exponent, and n provides a group modulus defined in accordance 
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with relationship (1) reproduced below, 

n = pi -p 2 - ... -pk (1) 
wherein k is the total number of prime numbers allocated for the group. As further explained 
below, the composite number n provides the group modulus for signing and verifying messages 
5 associated with an entity represented by the group, and the prime numbers pi, p2, . . .pk are 
referred to as factors of the group modulus n. As mentioned, the prime numbers pi, p2, . . .pk 
satisfy the criteria of being distinct, random, and suitable in accordance with relationships (2) 
through (6), above. The private key D, defined in accordance with relationship (7) above, which 
includes the composite number n and the private exponent d, provides a group private key which 
10 is never revealed or distributed. 

In accordance with the present invention, a message M is signed by a group of 
individuals to a create a signature S by a signing process using the group private key D wherein 
O each of the members of each group has control over at least one of the prime factors pi, p 2 , . . .pk, 
C] and wherein each group of individuals collectively has control of all of the prime factors pi, p 2 , 
f !f . . .pk, but wherein no single one of the individuals of the group controls all of the prime factors 
00 used by the entity. 

L The total number k of prime numbers may be allocated to the individuals of a group in a 

fjj number of different ways. Each of the individual signatories of a group is assigned at least one 
o of the whole set of prime numbers pi, p 2 , . . .pk.. This may be expressed as a number of 
2§ combinations of k primes. 

Each of the individual members of a group is assigned at least one of the total number k 
of prime numbers pi, p 2 , . . .pk. The prime number(s) assigned to each individual are used to 
create an associated individual modulus and an associated individual private key to be used by 
the individual to generate an individual partial digital signature in accordance with a unique 
25 individual RSA-type system. In accordance with the present invention, individual moduli must 
be relatively prime within a group, requiring that the component primes not be shared. Also in 
accordance with the present invention, different combinations of the total number k of prime 
numbers pi, p 2 , . . .p k . may be assigned to different individuals. 

In accordance with a symmetric distribution of the primes to individuals of one or more 
30 groups, each of the individuals of each group is assigned an individual private key Dind that is 
formed based on a number m of prime factors, wherein m < k. The number of combinations of 
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the k prime factors taken m at a time dictates the number of unique individual private keys that 
may be created based on the total number k prime factors. The number of combinations of k 
prime factors taken m at a time may be expressed in accordance with relationship (13), below. 



A = 



\ m J 



(13) 



m!(k-m)! 

This total number of combinations A is partitioned into G groups of Z members each, so A = G • 
Z, where Z = k/m. Thus 

A = G • Z = G • k/m, and 

G-A-S... 



k (m-l)!(k-m) 

In one type of embodiment employing a symmetric distribution, k is even, m = 2, Z = k/2, and G 
W = (k-l)!/(k-2)! = k-1, which relations may be used in reverse to construct such a system, for 
O example choosing Z = 4 yields k = 8, G = 7, m = 2, and A = 28. 

%j FIG. 3 shows a table diagram illustrating one example of the creation and symmetric 

J distribution of individual private keys to members of a number G of different groups, each group 
SB having Z individual members, wherein the members of each group may act collectively to 
1| execute the same group digital signature, and wherein each individual private key is created 
^ based on an associated individual modulus formed from a unique combination of m primes 
O selected from the total number of primes k. In the example depicted in FIG. 3, it is assumed that 
2 there is a total number k = 6 of prime factors used in the group Multi-Prime cryptosystem, and 

that each individual is to be assigned a number m = 2 of prime factors for forming an individual 
20 private key Dind- 

In the depicted example, a unique private key pair Dind = (d g>z > niND) may be assigned to 
each of fifteen different individuals wherein g is the number of groups authorized to act on 
behalf of the entity using the group private key D, and z is the number of individuals in each 
group. Because each of the individuals is assigned m=2 prime values and because there are only 
25 a total of k = 6 prime values in the group Multi-Prime crypto-system, each group may include 

only z = 3 individuals each being assigned a unique selected pair of the prime factors. Therefore, 
in the present example, g = 5 groups are formed wherein each group consists of z = 3 individual 
members. 

Each of the individual moduli % z within a group have no common factors. For example, 
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none of the three individual moduli in GROUIM (nn=pip 6 , ni2=P2p3, and ni3=p 4 p 5 ) include 
common factors. As mentioned above, each of the individual moduli n g)Z should be protected for 
security purposes. Referring back to FIG. 1, each individual modulus % z may be stored in a 
secure memory location (which may itself be cryptographically protected) within an associated 
5 one of the individual systems, or may be contained in an associated one of the individual systems 
from a smart card held by the associated individual 

In order for one of the groups to generate the group digital signature S, each of the 
individual members of the group must sign a message using an associated unique individual 
private key pair Dind = (cfojD, Hind) wherein diND is an individual private key exponent, and ni N D 

10 is the composite number providing the individual modulus. So, each of the individuals generates 
a partial individual signature S gjZ in accordance with an associated individual cryptosystem 

M defined by d^D and n^D. Each of the partial individual signature S g , z is generated in accordance 

q with relationship (14), below. 

t;j S g , z ^ M dg,z (modn g , z ) (14) 

1 § wherein d g>z is the individual private key exponent d^D associated with the particular individual. 

Partial digital signatures are generated by each individual at a corresponding one of the 
H individual systems 16 (FIG. 1) based on the associated individual cryptosystem defined by the 
HI associated individual modulus n^D and the associated individual private key exponent diND- For 
Jij example, the INDIVIDUAL__1 in GROUIM, assigned the individual modulus ni i=pip6, 
1% generates a first partial digital Sn in accordance with, 

S U 3 M dhl (modn u ) 

wherein di,i s e" 1 mod (|)(% z ) 

FIG. 4 shows a table diagram illustrating the partial digital signatures associated with 
each of the individuals in each of the groups illustrated in FIG. 3. Each of the groups of 

25 individuals may complete the same group digital signature S only upon execution of each of the 
partial digital signatures by each of the associated members of the group. In the example 
depicted in FIGS. 3 and 4, the individual private keys are created and distributed so that none of 
the partial digital signatures can be used outside of its associated group to form a valid group 
digital signature. None of the partial digital signatures can be combined outside of its associated 

30 group to form the enterprise signature because all of the moduli used to generate enterprise 
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signature must be relatively prime. The primes are distributed so as to prevent useful 
combination of partial digital signatures across groups. 

FIG. 5 shows a table diagram at 80 illustrating an example of an asymmetric distribution 
of a plurality of individual private keys to members of a plurality of different groups, wherein at 

5 least one individual in at least one of the groups is assigned a modulus consisting of a different 
number of primes as compared with the number of moduli assigned to other members of the 
same group. In the depicted example, a total number of k = 3 prime factors (pi, p 2 , and p 3 ) are 
distributed across three groups each having two individual members. A first individual 
(INDIVIDUAL^) in each of the three groups receives an associated one of the three prime 

10 factors. The second individual (INDIVIDUAL^) in each of the three groups receives the other 
two of the three prime factors which were not assigned to the first individual. In accordance with 

h this form of asymmetric distribution, the members of each group are still isolated in that the 

!H partial digital signatures cannot be combined across groups to form the valid group digital 

K 4 signature. 

i| FIG. 6 is a table diagram illustrating an example of an asymmetric distribution of a 

^ plurality of individual private keys to members of a plurality of different groups that are 
M= organized to operate in a hierarchical manner, wherein at least one high level common member 
fij must ratify the execution of a group digital signature by at least one of the different groups. In 
~f the depicted example, moduli formed from a total number of k = 5 prime factors (pi, p2, P3, p4, 
3# and p 5 ) are distributed across two groups each having three individual members wherein one 
individual who is a member of both groups uses the same individual private key to ratify 
decisions made by both groups. INDIVIDUAL^!, who is assigned the private key pi, uses the 
private key ni i = pi in GROUP_l and n 2 i = pi in GROUP_2. In accordance with this form of 
asymmetric distribution, the members of each group are not completely isolated because the 
25 partial digital signature associated with INDIVIDUAL_1 can be combined with the partial 
individual signatures of the other members of either group to form the valid group digital 
signature. 

FIG. 7 shows a flow diagram illustrating a process of generating a group digital signature 
in accordance with one embodiment of the present invention wherein the group consists of Z = 2 
30 individuals designated INDIVIDUAL^ and INDIVIDUAL^. The secure key generation and 
issuance unit 19 (FIG. 1) generates and issues individual moduli and private keys to the 
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individual members INDIVIDUAL^ and INDIVIDUAL_2 for generating individual partial 
digital signatures Si and S2 in accordance with the present invention. As described above, the 
individual moduli and private keys are issued to the individuals via a secure channel (e.g., using 
a secure token such as a smart card). The key generation and issuance unit 19 also pre-computes 
and distributes the CRT weights (for use in combining the partial digital signatures Si and S2 into 
a group digital signature) to the secure combining entity of the gateway system 20 (FIG. 1) . 

As shown at 102, a first INDIVIDUAL^ is assigned a first individual modulus m 
formed from primes p a and p b . A first partial digital signature Si for a message M may be 
determined at an associated one of the individuals systems 16 (FIG. 1) in accordance with, 

(mod m), 

wherein the private key elements, 

di s e" 1 mod (j>(ni) 9 and 

ni = p a • pb 

have been previously generated, assigned, and securely issued by the key generation 
facility into the control of INDIVIDUALJ. 

As shown at 104, the second INDIVIDUAL^ is assigned a second individual modulus 
n 2 formed from primes p c and p d . A second partial digital signature S2 may be determined at an 
associated one of the individuals systems 16 (FIG. 1) in accordance with, 
S 2 = (mod n 2 ), 
wherein the private key elements 
d 2 = e" 1 mod <Kn 2 ), and 
n 2 = p c # Pd 

have been previously generated, assigned, and securely issued by the key generation and 
issuance unit 19 into the control of INDIVIDUAL^. 

At completion of a similar subtask by each such member of a particular group, each 
partial signature is transmitted to the secure combining facility which is implemented at the 
gateway system 20. After receipt and accumulation of all of necessary partial signatures by the 
secure combining facility, a Chinese Remainder Algorithm may be used to combine the partial 
signatures Si and S 2 in accordance with either of relationships (11) and (12), above, to generate 
the group digital signature S using the CRT parameters or weights Wi, wf 1 , w 2 , and w 2 ~ l 
previously generated, assigned, and securely issued by the key generation facility into the control 
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of the combining facility. The combining facility may then optionally perform the additional 
step of verifying the signature S using the public key of the entity in accordance with relationship 
(9) above, before transmitting the message M and appended signature S to the designated 
external recipient. Such verification would avoid the issuance of an invalid signature in the case 
of a computational error. 

While the present invention has been described with reference to a few specific 
embodiments, the description is illustrative of the invention and is not to be construed as limiting 
the invention. Various modifications may occur to those skilled in the art without departing from 
the true spirit and scope of the invention as defined by the appended claims. 
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